They set a framework - which isn't bad at all. It's interpretation of that framework that is the problem.
Sent from my iPhone

On 31 Jan 2012, at 22:38, "Gavin Hamill" <[email protected]> wrote:

> On Tue, 2012-01-31 at 21:02 +0000, Tom Hill wrote:
>> On 31/01/12 15:35, Leo Vegoda wrote:
>>>> I note that PCI DSS poses a problem for IPv6, in that section 1.3.8
>>>> (my copy is dated October 2010) mandates that private IP addresses
>>>> (they clearly mean RFC1918) are not revealed to or routable from the
>>>> internet (my paraphrasing).
>>>
>>> Are RFC 4193 addresses not substitutable?
>>
>> Indeed, how 'clearly' do they insinuate RFC1918? "private IP addresses"
>> would cover both IPv4 & IPv6 equivalents, even if I do have to take my
>> anti-cynicism pills to get there.
>
> The exact text of requirement 1.3.8: [1]
>
> 1.3.8 Do not disclose private IP addresses and routing information to
> unauthorized parties.
>
> Note: Methods to obscure IP addressing may include, but are not limited to:
> Network Address Translation (NAT)
> Placing servers containing cardholder data behind proxy servers/firewalls
> or content caches,
> Removal or filtering of route advertisements for private networks that
> employ registered addressing,
> Internal use of RFC1918 address space instead of registered addresses.
>
> PCI-DSS gets a lot of bad press (mainly for the genius of the card
> industry for being able to shift the risk to every merchant on the
> planet) but is generally founded in common sense. The problem tends to
> be with auditors who have a long list of boxes to tick and remarkably
> little IT / networks understanding.
>
> Cheers,
> Gavin.
>
> [1] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
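The reading the thread argues for, that "private IP addresses" in requirement 1.3.8 covers RFC 4193 ULA space as the IPv6 counterpart of RFC1918, turned into a defender's check; this is an added example, not code from the thread or from PCI DSS, and the range names, the sample gateway response and the header names in it are assumptions of the example. It scans text that crosses the perimeter and flags any address drawn from those internal ranges.

```python
# Find internal addresses (RFC1918, RFC 4193 ULA and their neighbours) in text
# that leaves the cardholder-data environment, the disclosure 1.3.8 forbids.
import ipaddress
import re

# Ranges discussed in the thread plus the obvious neighbours (assumed grouping).
RANGES = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc4193_ula": ["fc00::/7"],
    "link_local": ["169.254.0.0/16", "fe80::/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
}
NETWORKS = {k: [ipaddress.ip_network(n) for n in v] for k, v in RANGES.items()}

# Loose token patterns only; ipaddress does the real validation in classify().
_IPV4 = r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)"
_IPV6 = r"(?<![0-9A-Fa-f:])[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(?![0-9A-Fa-f:])"
_TOKEN = re.compile(f"{_IPV4}|{_IPV6}")


def classify(addr: str) -> str:
    """Name the range an address falls in, 'global' for any other valid
    address, or 'invalid' for text that is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    for name, nets in NETWORKS.items():
        if any(ip in net for net in nets):  # v4-in-v6 membership is simply False
            return name
    return "global"


def find_disclosures(text: str) -> list[tuple[str, str]]:
    """Return (address, range) for every non-global address found in text."""
    return [(tok, classify(tok)) for tok in _TOKEN.findall(text)
            if classify(tok) not in ("global", "invalid")]


# Constructed sample: a gateway error as a client outside the perimeter might
# see it. Only the two internal addresses should be flagged; the public
# documentation-range addresses and the timestamp should not.
SAMPLE = """\
HTTP/1.1 502 Bad Gateway
Via: 1.1 10.20.30.40 (proxy)
X-Backend: [fd12:3456:789a::1]:8443
Date: Tue, 31 Jan 2012 22:38:00 GMT
Upstream: 203.0.113.7 and 2001:db8::10 are documentation-range addresses
"""

if __name__ == "__main__":
    for addr, kind in find_disclosures(SAMPLE):
        print(f"{addr} disclosed ({kind})")
```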
